The payload is mainly handled by ‘StarfieldInstall.app’. When the user inputs the password, the installation continues by sending a HTTP request to the server as follows:

GET /moduleinfo HTTP/1.1

User-Agent: StarfieldInstall/1.0

Host: na.secureserver.net

Accept: *.*

‘Moduleinfo’ is a JSON text which ‘StarfieldInstall.app’ parses and evaluating the content of a JSON string. For example, it reads and evaluate which package appropriate to the user: Windows or Mac.

{ "win" :

…

, "mac" :

It also evaluates the installation requirement, example:

, "mac" :

[ { "file" : "StarfieldInstall.App"

, "version" : 4

, "source" : "starfieldinstall.zip"

, "app" : "*"

, "type" : "util"

, "adminRequired" : false

, "osMin" : [10,4]

}

‘StarfieldInstall’ compares this requirement defined by JSON file ‘moduleinfo’ before it downloads, extracts and run the latest package resulting to installation of the following:

starfieldinstall.zip

starfieldupdate.zip

fileedittool64.plugin.zip

fileedittool.zip

WBETools14.plugin

wbetools64.zip

copypaste.xpi

zoomext.xpi

offdavhelper_mac4.zip

offdavhelper_mac.zip

offsettings.bundle.zip

wbesettings.bundle.zip

drivemapreconnect.zip

backupstatus.zip

offsync_mac.zip

desktoptools.zip

wbedesktopnotifier.zip

So far we have 17 files here and 4 of these files do not require root password. It is important to take note that ‘StarfieldUpdate.app’ is always running in the background and launch ‘StarfieldInstall.app’ to perform the following:

– Evaluating JSON text ‘moduleinfo’ for update

– Download and installation of latest versions

– Discovery of products installed

– Running privileged shell command

It installs two Firefox extensions and plugins, which is persistent. It means that you can’t just click ‘uninstall’ to remove it . In Firefox, click Tools and Addons to view the installed Extensions and Plugins as shown below:

Another notable process created is ‘OffSyncService’ which is always running in the background .

In conclusion, this is a nasty and abusive application that performs remote activities and installation of unwanted plugins and application without user consent. It is a bloatware and a backdoor.